load_policy.c revision 25985edcedea6396277003854657b5f3cb31a628 
1/*
2 * security/tomoyo/load_policy.c
3 *
4 * Policy loader launcher for TOMOYO.
5 *
6 * Copyright (C) 2005-2010  NTT DATA CORPORATION
7 */
8
9#include "common.h"
10
11/* path to policy loader */
12static const char *tomoyo_loader = "/sbin/tomoyo-init";
13
14/**
15 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
16 *
17 * Returns true if /sbin/tomoyo-init exists, false otherwise.
18 */
19static bool tomoyo_policy_loader_exists(void)
20{
21	/*
22	 * Don't activate MAC if the policy loader doesn't exist.
23	 * If the initrd includes /sbin/init but real-root-dev has not
24	 * mounted on / yet, activating MAC will block the system since
25	 * policies are not loaded yet.
26	 * Thus, let do_execve() call this function every time.
27	 */
28	struct path path;
29
30	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
31		printk(KERN_INFO "Not activating Mandatory Access Control now "
32		       "since %s doesn't exist.\n", tomoyo_loader);
33		return false;
34	}
35	path_put(&path);
36	return true;
37}
38
39/**
40 * tomoyo_load_policy - Run external policy loader to load policy.
41 *
42 * @filename: The program about to start.
43 *
44 * This function checks whether @filename is /sbin/init , and if so
45 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
46 * and then continues invocation of /sbin/init.
47 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
48 * writes to /sys/kernel/security/tomoyo/ interfaces.
49 *
50 * Returns nothing.
51 */
52void tomoyo_load_policy(const char *filename)
53{
54	char *argv[2];
55	char *envp[3];
56
57	if (tomoyo_policy_loaded)
58		return;
59	/*
60	 * Check filename is /sbin/init or /sbin/tomoyo-start.
61	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
62	 * be passed.
63	 * You can create /sbin/tomoyo-start by
64	 * "ln -s /bin/true /sbin/tomoyo-start".
65	 */
66	if (strcmp(filename, "/sbin/init") &&
67	    strcmp(filename, "/sbin/tomoyo-start"))
68		return;
69	if (!tomoyo_policy_loader_exists())
70		return;
71
72	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
73	       tomoyo_loader);
74	argv[0] = (char *) tomoyo_loader;
75	argv[1] = NULL;
76	envp[0] = "HOME=/";
77	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
78	envp[2] = NULL;
79	call_usermodehelper(argv[0], argv, envp, 1);
80	tomoyo_check_profile();
81}
82